diff --git a/docs/faq.rst b/docs/faq.rst index 494069587..07bb11a3e 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -353,6 +353,28 @@ to change them. Security ######## +.. _home_config_borg: + +How important is the $HOME/.config/borg directory? +-------------------------------------------------- + +The Borg config directory has content that you should take care of: + +``security`` subdirectory + Each directory here represents one Borg repository by its ID and contains the last known status. + If a repository's status is different from this information at the beginning of BorgBackup + operation, Borg outputs warning messages and asks for confirmation, so make sure you do not lose + or manipulate these files. However, apart from those warnings, a loss of these files can be + recovered. + +``keys`` subdirectory + In this directory all your repository keyfiles are stored. You MUST make sure to have an + independent backup of these keyfiles, otherwise you cannot access your backups anymore if you lose + them. You also MUST keep these files secret; everyone who gains access to your repository and has + the corresponding keyfile (and the key passphrase) can extract it. + +Make sure that only you have access to the Borg config directory. + .. _cache_security: Do I need to take security precautions regarding the cache? @@ -366,8 +388,8 @@ same system which also contains the original files which are being backed up. So someone with access to the cache files would also have access the the original files anyway. -If you ever need to move the cache to a different location, this can -be achieved by using the appropriate :ref:`env_vars`. +The Internals section contains more details about :ref:`cache`. If you ever need to move the cache +to a different location, this can be achieved by using the appropriate :ref:`env_vars`. How can I specify the encryption passphrase programmatically? ------------------------------------------------------------- 
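Review bot: The ``security`` paragraph in the new ``home_config_borg`` section understates the consequence of losing those files: "a loss of these files can be recovered" reads as if nothing is at stake, but since this directory is the only copy of the last known repository status, losing it also means Borg can no longer notice that the repository was swapped or rolled back before the next operation, so the warning/confirmation protection described two sentences earlier is silently gone for that repository. Suggest wording it like "Borg can continue to work without these files, but you lose the check that detects a replaced or rolled-back repository, so treat an unexpected loss as a reason to verify the repository yourself." Two smaller points in the same hunk: "can extract it" in the ``keys`` paragraph is ambiguous (extract what?), "can read the backup data stored in it" is clearer; and the closing "Make sure that only you have access to the Borg config directory." would be more actionable with a concrete check, e.g. "(directory mode 0700, files 0600, owned by your user)".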
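Review bot: The ``cache_security`` hunk rewrites the "move the cache" sentence but leaves the typo in the unchanged context line directly above it ("would also have access the the original files anyway"); since the paragraph is being touched anyway, fold the fix to "access to the original files" into this change. Also please confirm that the ``:ref:`cache``` label exists in the Internals chapter, otherwise Sphinx will emit an unresolved-reference warning for the new sentence.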
diff --git a/docs/usage_general.rst.inc b/docs/usage_general.rst.inc index a6b35feaa..7a89cb470 100644 --- a/docs/usage_general.rst.inc +++ b/docs/usage_general.rst.inc @@ -230,8 +230,6 @@ General: in systemd.nspawn containers on some architectures (e.g. ARM). Using this does not affect data safety, but might result in a more bursty write to disk behaviour (not continuously streaming to disk). - TMPDIR - where temporary files are stored (might need a lot of temporary space for some operations), see tempfile_ for details Some automatic "answerers" (if set, they automatically answer confirmation questions): BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no (or =yes) 
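Review bot: Removing ``TMPDIR`` from the "General:" group changes where the ``tempfile_`` hyperlink reference is used; the target definition for ``tempfile_`` must remain in this include file (or be defined where the entry now lives) or the build will report an unknown target. A short commit-message note that this is a move to "Directories and files:" rather than a deletion would also help reviewers reading only this hunk.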
@@ -251,22 +249,26 @@ Some automatic "answerers" (if set, they automatically answer confirmation quest Directories and files: BORG_BASE_DIR - Default to '$HOME', '~$USER', '~' (in that order)'. + Defaults to '$HOME', '~$USER', '~' (in that order)'. If we refer to ~ below, we in fact mean BORG_BASE_DIR. BORG_CACHE_DIR - Default to '~/.cache/borg'. This directory contains the local cache and might need a lot + Defaults to '~/.cache/borg'. This directory contains the local cache and might need a lot of space for dealing with big repositories. Make sure you're aware of the associated security aspects of the cache location: :ref:`cache_security` BORG_CONFIG_DIR - Default to '~/.config/borg'. This directory contains the whole config directories. + Defaults to '~/.config/borg'. This directory contains the whole config directories. See FAQ + for security advisory about the data in this directory: :ref:`home_config_borg` BORG_SECURITY_DIR - Default to '~/.config/borg/security'. This directory contains information borg uses to + Defaults to '~/.config/borg/security'. This directory contains information borg uses to track its usage of NONCES ("numbers used once" - usually in encryption context) and other security relevant data. Will move with BORG_CONFIG_DIR variable unless specified. BORG_KEYS_DIR - Default to '~/.config/borg/keys'. This directory contains keys for encrypted repositories. + Defaults to '~/.config/borg/keys'. This directory contains keys for encrypted repositories. BORG_KEY_FILE When set, use the given filename as repository key file. + TMPDIR + This is where temporary files are stored (might need a lot of temporary space for some + operations), see tempfile_ for details. Building: BORG_OPENSSL_PREFIX
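Review bot: The ``BORG_BASE_DIR`` line is fixed to "Defaults to" but still carries the stray trailing apostrophe in ``'~' (in that order)'.``; drop the quote after the parenthesis while you are editing the line. In the ``BORG_CONFIG_DIR`` entry, "See FAQ for security advisory about the data in this directory" misuses "advisory" (which usually denotes a vulnerability notice) and the preceding "contains the whole config directories" is ungrammatical; suggest "This directory contains the configuration subdirectories listed below. See the FAQ for security advice about the data in this directory: :ref:`home_config_borg`". The re-added ``TMPDIR`` entry looks correct and now sits with the other path variables, which is the right place for it.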